Microsoft Planning To Disable SSL 3.0 Support in December -- Redmondmag.com

Microsoft Planning To Disable SSL 3.0 Support in December

By Kurt Mackie
10/29/2014

Microsoft gave notice today that it will disable Secure Sockets Layer (SSL) 3.0 support in its Internet Explorer browser and in its Online Services, starting on Dec. 1, 2014.

The announcement ramps up Microsoft's earlier advice to organizations about the SSL 3.0 vulnerability by establishing a firm cut-off date. SSL 3.0 is an older encryption standard that's associated with the HTTPS method for securing Web traffic. Researchers discovered a flaw in SSL 3.0 that can be exploited to carry out so-called "man-in-the-middle"-type attacks, which can lead to the exposure of security information, such as authentication cookies.

The SSL 3.0 exploit is thought to be difficult to carry out. An attacker would have to run hundreds of HTTPS requests to gain the information. But it looks like Microsoft is opting to be proactive in shutting it down, based on today's announcement.

"Although analysis of connections to Microsoft online services shows very few customers still use SSL 3.0, we are providing customers with advance notice of this change so they can update their impacted clients prior to us disabling SSL 3.0," Microsoft's announcement explained.

In response to the vulnerability, Microsoft issued Security Advisory 3009008 earlier this month, which indicates that Windows and Windows Server can be affected by the SSL 3.0 flaw. The security advisory includes workaround advice for disabling SSL 3.0 in both IE and Windows. The SSL 3.0 flaw can also affect Azure Websites and Roles, as well as Virtual Machines.

Today, Microsoft revised that security advisory to include a downloadable "Fix it" MSI file, which is designed to make it easier to disable SSL 3.0 in IE versions. The Fix it can be accessed in this Knowledge Base article.

Microsoft's decision to cut off SSL 3.0 support in December means that IE browsers used with Azure and Office 365 services will have to use the Transport Layer Security (TLS) 1.0, or higher, protocol, going forward. Users might experience connection problems otherwise. The TLS protocol doesn't have this security flaw.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

Cisco Warns of Brute Force Attacks Targeting VPNs and Firewalls

Cisco has revealed that a global increase in brute force attacks targeting Virtual Private Networks (VPNs) and other devices is currently taking place.
What's Inside Microsoft 365's Security Toolbox?

Microsoft provides plenty of native tools to secure Microsoft 365. IT pros just have to know where to look.
Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.